I've become used to the script kiddies sending out large connection
requests (I do have a threshold set). They are able to get around it by
other connections. For example, I had 857 connects of this:
Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from unknown[5.232.194.77]
Aug 28 11:57:35 mail postfix/smtpd[20544]: warning: Connection rate limit exceeded: 56 from unknown[5.232.194.77] for service smtp
Aug 28 11:57:35 mail postfix/smtpd[20544]: disconnect from unknown[5.232.194.77] ehlo=1 auth=0/1 unknown=0/2 commands=1/4
While it may be time for an external tool like fail2ban, I'm wondering
if there are other measures I can take, that may break things (but I'm
the only one that uses this system), such as changing port numbers of
certain services.
I do block the IP spaces when I see this, which is a no-brainer. But I
wonder how others are mitigating this activity. Pointers, advice
welcomed (and thanks in advance).
_F
Subject: Tons of SMTP AUTH failures in logs
From: Forrest
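As an added example (not code from Forrest or from the Postfix project): a small Python script that parses the two smtpd log shapes quoted above, the "Connection rate limit exceeded" warning that Postfix emits when a client trips the configured connection-rate threshold, and the disconnect line whose `auth=0/1` counter records successful/attempted AUTH commands, tallies them per client IP, and renders the repeat offenders as a Postfix access map of the form used with `check_client_access`. The sample log lines, IP addresses and selection rules below are constructed for the example; only the log formats come from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the same shape as the Postfix smtpd entries quoted
# in the post (documentation-range IPs; not real traffic).
SAMPLE_LOG = """\
Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from unknown[192.0.2.10]
Aug 28 11:57:35 mail postfix/smtpd[20544]: warning: Connection rate limit exceeded: 56 from unknown[192.0.2.10] for service smtp
Aug 28 11:57:35 mail postfix/smtpd[20544]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 unknown=0/2 commands=1/4
Aug 28 11:58:01 mail postfix/smtpd[20545]: connect from unknown[192.0.2.10]
Aug 28 11:58:01 mail postfix/smtpd[20545]: warning: Connection rate limit exceeded: 57 from unknown[192.0.2.10] for service smtp
Aug 28 11:58:01 mail postfix/smtpd[20545]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 unknown=0/2 commands=1/4
Aug 28 11:58:30 mail postfix/smtpd[20546]: connect from mail.example.net[198.51.100.5]
Aug 28 11:58:31 mail postfix/smtpd[20546]: disconnect from mail.example.net[198.51.100.5] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Aug 28 11:59:02 mail postfix/smtpd[20547]: connect from unknown[203.0.113.7]
Aug 28 11:59:02 mail postfix/smtpd[20547]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/3 commands=1/4
"""

# The anvil rate-limit warning and the session-summary disconnect line.
RATE_LIMIT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: Connection rate limit exceeded: "
    r"(?P<count>\d+) from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\] for service (?P<service>\S+)"
)
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\] (?P<counters>.*)$"
)
# Postfix writes "cmd=ok/total" when some commands failed and a bare "cmd=n" when all succeeded.
COUNTER_RE = re.compile(r"(?P<cmd>\w+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")


def parse_counters(text):
    """Turn 'ehlo=1 auth=0/1 commands=1/4' into {'auth': (0, 1), ...} as (ok, total)."""
    out = {}
    for m in COUNTER_RE.finditer(text):
        ok = int(m.group("ok"))
        total = int(m.group("total")) if m.group("total") else ok
        out[m.group("cmd")] = (ok, total)
    return out


def summarize(lines):
    """Per-client tallies of rate-limit warnings and AUTH attempts/failures."""
    stats = defaultdict(lambda: {"rate_limit_warnings": 0, "max_rate": 0,
                                 "sessions": 0, "auth_attempts": 0, "auth_failures": 0})
    for line in lines:
        m = RATE_LIMIT_RE.search(line)
        if m:
            s = stats[m.group("ip")]
            s["rate_limit_warnings"] += 1
            s["max_rate"] = max(s["max_rate"], int(m.group("count")))
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            s = stats[m.group("ip")]
            s["sessions"] += 1
            ok, total = parse_counters(m.group("counters")).get("auth", (0, 0))
            s["auth_attempts"] += total
            s["auth_failures"] += total - ok
    return dict(stats)


def offenders(stats):
    """Clients that tripped the connection-rate limit, or only ever failed AUTH.

    A client with at least one successful AUTH is never listed, so a legitimate
    user who mistypes a password once is not blocked by this rule (constructed policy).
    """
    picked = []
    for ip, s in stats.items():
        try:
            key = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a literal address; skip rather than emit a bad map entry
        never_succeeded = s["auth_attempts"] > 0 and s["auth_failures"] == s["auth_attempts"]
        if s["rate_limit_warnings"] > 0 or never_succeeded:
            picked.append((key, ip))
    return [ip for _, ip in sorted(picked)]


def render_access_map(ips):
    """Lines for a Postfix client access table ('address REJECT'), one per offender."""
    return "".join(f"{ip} REJECT\n" for ip in ips)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, s in stats.items():
        print(ip, s)
    print(render_access_map(offenders(stats)), end="")
```

Run against a real mail log the script only reports; feeding its output into an access map or a firewall block list is the operator's decision, and the "never succeeded" rule above is deliberately conservative so that one bad password from a real user is not enough to lock them out.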